Executive Summary
A critical vulnerability in WinRAR, identified as CVE-2023-38831, is being actively exploited by threat actors to execute arbitrary code on a victim’s machine. This flaw allows attackers to craft malicious ZIP archives that can deliver malware when a user attempts to view a seemingly benign file. This vulnerability has been used in targeted attacks, and immediate patching is crucial to prevent compromise.
Background on WinRAR
WinRAR is a widely used file archiver utility for Windows. Its ability to create and view archives in various formats, such as RAR and ZIP, has made it a popular tool for both personal and professional use. This widespread adoption makes it a high-value target for cyber attackers seeking to distribute malware.
Vulnerability Details
- CVE-ID: CVE-2023-38831.
- CVSS Score: 7.8 (High).
- EPSS Score: 93.65.
- Vulnerability Type: Insufficient Verification of Data Authenticity.
- Affected Software: WinRAR versions prior to 6.23.
Infection Method
Attackers leverage the vulnerability through a multi-step attack chain:
- Initial Access: Attackers craft a malicious ZIP archive containing a benign file (e.g., a PDF or JPG) and a folder with the same name.
- Exploitation: When a user opens the archive and double-clicks the benign-looking file, the vulnerability is triggered.
- Script Execution: Instead of opening the benign file, WinRAR is tricked into executing a script or executable within the specially named folder.
- Payload Delivery: The executed script then downloads and installs the primary malware payload, such as MATCHBOIL, MATCHWOK, or DRAGSTARE.
- Persistence: The malware establishes persistence on the infected system, often through scheduled tasks.
Malware Behavior and Capabilities
The malware delivered through this exploit exhibits a range of malicious capabilities, including:
- Backdoor Access: Provides the attacker with remote control over the compromised system.
- Credential Theft: Steals sensitive information, including login credentials from web browsers.
- Data Exfiltration: Collects and exfiltrates files with specific extensions, such as “.docx,” “.pdf,” and “.xls.”
- Command Execution: Executes arbitrary PowerShell commands received from a command-and-control server.
Observed MITRE ATT&CK Techniques
The observed attack activities align with several MITRE ATT&CK techniques:
- T1020 – Automated Exfiltration: Used by DRAGSTARE to steal files and exfiltrate sensitive data from the victim’s system.
- T1566.001 – Phishing: Spearphishing Attachment: Used for initial access via malicious HTA, LNK, and archive file attachments.
- T1059.001 – Command and Scripting Interpreter: PowerShell: Used to execute obfuscated PowerShell commands embedded by the MATCHWOK backdoor.
- T1053 – Scheduled Task/Job: Scheduled Task: Used for persistence by creating scheduled tasks that execute the malware payloads.
- T1027 – Obfuscated Files or Information: Employed by UAC-0099 to evade detection through obfuscated VBScript and PowerShell scripts.
- T1105 – Ingress Tool Transfer: Downloading additional payloads such as MATCHWOK and DRAGSTARE from command-and-control servers.
Impact
- Remote takeover of the affected device.
- Unauthorized access to sensitive personal and corporate data.
- Lateral movement within corporate networks.
- Potential for widespread malware infections.
Mitigation Steps
- Patch Software: Update WinRAR to version 6.23 or a later version.
- Isolate Devices: If patching is not immediately possible, consider restricting the use of WinRAR on critical systems.
- Threat Hunting:
  - Monitor for suspicious processes originating from WinRAR.
  - Look for unusual network traffic to known malicious domains or IPs.
- IOC Monitoring: Leverage indicators of compromise (IOCs) associated with malware families like MATCHBOIL and DRAGSTARE for early detection.
- User Awareness: Educate users about the risks of opening attachments from untrusted sources, even if they appear to be harmless documents.
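As an added example (not part of this advisory), the following Python check looks for the archive structure described under Infection Method, a top-level file whose name collides with a folder holding a script or executable, so that a mail gateway or threat-hunting job can flag inbound ZIP attachments before a user opens them in an unpatched WinRAR. The sample archives, file names and extension list are constructed for this illustration.

```python
import io
import os
import zipfile

# Script/executable extensions that should never sit in a folder named after a document.
# Constructed list for this example; extend it to match your environment's policy.
SUSPICIOUS_EXT = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".hta", ".scr"}


def _key(name: str) -> str:
    # Normalise trailing whitespace so lookalike names still collide during comparison.
    return name.rstrip()


def find_cve_2023_38831_pattern(data: bytes) -> list[tuple[str, str]]:
    """Return (decoy_file, script_entry) pairs for entries matching the
    file-and-same-named-folder layout described in the advisory."""
    files: dict[str, str] = {}    # normalised name -> top-level file entry
    folders: dict[str, str] = {}  # normalised folder name -> script entry inside it
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if "/" not in name:
                files[_key(name)] = name            # top-level file (e.g. the decoy PDF)
                continue
            top, leaf = name.split("/", 1)[0], name.rsplit("/", 1)[1]
            if os.path.splitext(leaf)[1].lower() in SUSPICIOUS_EXT:
                folders[_key(top)] = name           # script/executable inside a folder
    return [(files[k], folders[k]) for k in files if k in folders]


def build_sample(suspicious: bool) -> bytes:
    """Build a constructed in-memory ZIP: a decoy document plus either a
    same-named folder with a script (suspicious) or an ordinary folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed decoy")
        if suspicious:
            zf.writestr("report.pdf/report.pdf.cmd", b"echo constructed sample")
        else:
            zf.writestr("notes/readme.txt", b"ordinary archive")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("suspicious" if flag else "clean", "->", find_cve_2023_38831_pattern(build_sample(flag)))
```

A hit on a real attachment is a reason to quarantine the archive and check whether the recipient's WinRAR is below 6.23, not proof of exploitation on its own.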
Instantly Fix Risks with Secure Patches Inc.
Secure Patches Inc. offers a continuous, automated solution to address risks exploited in the wild. It supports a wide range of third-party applications across Windows, macOS, and Linux, ensuring that your systems are protected against the latest threats.